PESCAN.IO - Analysis Report
Information:
• Size: 3.21 MB
• SHA-256: 0FE71F68AC9D705878FB5F95E37720E722B1DAE3C2F605803E43C1CFDA536B7C
• SHA-1: 481F5D282F92C4EBFC09612AE914C941786DF326
• MD5: 5F7FA4BAC9FADBA77D53B4F10433C2C5
• Imphash: 4F2F006E2ECF7172AD368F8289DC96C1
• MajorOSVersion: 6
• CheckSum: 00000000 (unset; normal for a user-mode executable, only drivers and system DLLs need a valid checksum)
• EntryPoint (RVA): 0x66720
• SizeOfHeaders: 0x600
• SizeOfImage: 0x394000
• ImageBase: 0x0000000000400000
• Architecture: x64
• ImportTable (RVA): 0x36C000 (inside .idata)
• Characteristics: 0x22 = IMAGE_FILE_EXECUTABLE_IMAGE (0x0002) | IMAGE_FILE_LARGE_ADDRESS_AWARE (0x0020)
• TimeDateStamp: 0, shown as Date 01/01/1970 (the Unix epoch). Go-built PEs normally carry a zero timestamp, so this is not by itself a sign of tampering.
• File Type: EXE
• Number Of Sections: 15
• ASLR: Disabled (the image is linked to a fixed base of 0x400000)
• Section Names (from the section table): .text, .rdata, .data, .pdata, .xdata, /4, /19, /32, /46, /65, /78, /90, .idata, .reloc, .symtab. A name of the form /N is a long section name stored at decimal offset N of the COFF string table; in Go-linked PEs these are normally the DWARF .debug_* sections. The .symtab section is the COFF symbol table the Go linker emits unless symbols are stripped, which is why the string dumps further down are full of Go symbol names.
• Number Of Executable Sections: 1
• Subsystem: Windows Console
Sections Info:
Section Name | Flags | Decoded Flags | Raw Offset | Raw Size | RVA | Virtual Size |
---|---|---|---|---|---|---|
.text | 60000020 | CODE, EXECUTE, READ | 600 | 102600 | 1000 | 102415 |
.rdata | 40000040 | INITIALIZED_DATA, READ | 102C00 | 106200 | 104000 | 1061E0 |
.data | C0000040 | INITIALIZED_DATA, READ, WRITE | 208E00 | 1C800 | 20B000 | 73F10 |
.pdata | 40000040 | INITIALIZED_DATA, READ | 225600 | 6000 | 27F000 | 5F28 |
.xdata | 40000040 | INITIALIZED_DATA, READ | 22B600 | 200 | 285000 | 9C |
/4 | 42100040 | INITIALIZED_DATA, DISCARDABLE, READ, ALIGN_1BYTES | 22B800 | 200 | 286000 | 129 |
/19 | 42100040 | INITIALIZED_DATA, DISCARDABLE, READ, ALIGN_1BYTES | 22BA00 | 33A00 | 287000 | 339FC |
/32 | 42100040 | INITIALIZED_DATA, DISCARDABLE, READ, ALIGN_1BYTES | 25F400 | A400 | 2BB000 | A2A3 |
/46 | 42100040 | INITIALIZED_DATA, DISCARDABLE, READ, ALIGN_1BYTES | 269800 | 200 | 2C6000 | 22 |
/65 | 42100040 | INITIALIZED_DATA, DISCARDABLE, READ, ALIGN_1BYTES | 269A00 | 57000 | 2C7000 | 56E38 |
/78 | 42100040 | INITIALIZED_DATA, DISCARDABLE, READ, ALIGN_1BYTES | 2C0A00 | 3A000 | 31E000 | 39E29 |
/90 | 42100040 | INITIALIZED_DATA, DISCARDABLE, READ, ALIGN_1BYTES | 2FAA00 | 13C00 | 358000 | 13B65 |
.idata | C0000040 | INITIALIZED_DATA, READ, WRITE | 30E600 | 600 | 36C000 | 516 |
.reloc | 42000040 | INITIALIZED_DATA, DISCARDABLE, READ | 30EC00 | 4C00 | 36D000 | 4AA0 |
.symtab | 42000000 | DISCARDABLE, READ | 313800 | 21C00 | 372000 | 21B60 |
All values are hexadecimal. Points worth checking against the flags:
• Only .text is executable, and its raw size (0x102600) covers its virtual size (0x102415): no code is expected to appear outside the file image.
• .data has a virtual size (0x73F10) far larger than its raw size (0x1C800); the remainder is zero-filled by the loader (uninitialised data), which is normal.
• The seven /N sections are discardable, 1-byte aligned and never executable: debug information, not code.
• The import directory and IAT sit in the small writable .idata section (0x516 bytes), matching the ImportTable RVA 0x36C000 above.
• The raw layout ends at 0x313800 + 0x21C00 = 0x335400, consistent with the reported 3.21 MB file size.
Entry Point:
Section 1 (.text) holds the entry point. AddressOfEntryPoint is RVA 0x66720; its file offset is 0x66720 - 0x1000 (.text RVA) + 0x600 (.text raw offset) = 0x65D20, which is the value the tool reports as "EntryPoint (calculated)".
Bytes at the entry point: E9 5B C7 FF FF, then 27 × CC, then 9C FC 48 81 EC E0 00 00 00 48 89 3C 24 48 89 74 24 08
• 0x66720: JMP rel32 (E9 5B C7 FF FF). The displacement 0xFFFFC75B is -0x38A5, so the target is 0x66725 - 0x38A5 = RVA 0x62E80 (file offset 0x62480). The tool's "JMP 0xFFFFFFFFFFFFD760" is the same displacement applied to the .text section base 0x1000 instead of the entry RVA.
• 0x66725 to 0x6673F: 27 × INT3 (0xCC) padding.
• 0x66740 (32-byte aligned): PUSHFQ • CLD • SUB RSP, 0xE0 • MOV QWORD PTR [RSP], RDI • MOV QWORD PTR [RSP + 8], RSI, the start of the next function.
This is the shape of the Go runtime's _rt0_amd64_windows stub: a single JMP to _rt0_amd64, followed by INT3 padding up to the next 32-byte-aligned function. The entry is not patched or hooked.
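The RVA-to-offset arithmetic used above, the flag decoding in the section table and the resolution of "/N" section names are simple enough to script. The following is an added example written for this page, not PEScan's code: the section rows and the entry-point bytes are copied from the report, while the COFF string table is constructed with placeholder names purely to show how a "/N" lookup works (it does not reproduce this file's real long section names).

```python
"""PE section-table arithmetic for the binary in this report (added example).

Section rows and entry bytes come from the report; STRING_TABLE is CONSTRUCTED
with placeholder names to demonstrate "/N" resolution, not this file's real names.
"""
import struct

# (name, characteristics, raw_offset, raw_size, rva, virtual_size) from the report
SECTIONS = [
    (".text",   0x60000020, 0x000600, 0x102600, 0x001000, 0x102415),
    (".rdata",  0x40000040, 0x102C00, 0x106200, 0x104000, 0x1061E0),
    (".data",   0xC0000040, 0x208E00, 0x01C800, 0x20B000, 0x073F10),
    (".pdata",  0x40000040, 0x225600, 0x006000, 0x27F000, 0x005F28),
    (".xdata",  0x40000040, 0x22B600, 0x000200, 0x285000, 0x00009C),
    ("/4",      0x42100040, 0x22B800, 0x000200, 0x286000, 0x000129),
    ("/19",     0x42100040, 0x22BA00, 0x033A00, 0x287000, 0x0339FC),
    ("/32",     0x42100040, 0x25F400, 0x00A400, 0x2BB000, 0x00A2A3),
    ("/46",     0x42100040, 0x269800, 0x000200, 0x2C6000, 0x000022),
    ("/65",     0x42100040, 0x269A00, 0x057000, 0x2C7000, 0x056E38),
    ("/78",     0x42100040, 0x2C0A00, 0x03A000, 0x31E000, 0x039E29),
    ("/90",     0x42100040, 0x2FAA00, 0x013C00, 0x358000, 0x013B65),
    (".idata",  0xC0000040, 0x30E600, 0x000600, 0x36C000, 0x000516),
    (".reloc",  0x42000040, 0x30EC00, 0x004C00, 0x36D000, 0x004AA0),
    (".symtab", 0x42000000, 0x313800, 0x021C00, 0x372000, 0x021B60),
]

# IMAGE_SCN_* bits from the PE/COFF specification
FLAG_BITS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x02000000: "MEM_DISCARDABLE",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}
ALIGN_MASK = 0x00F00000  # IMAGE_SCN_ALIGN_*: nibble value n means 2**(n-1) bytes


def decode_flags(characteristics):
    """Return the symbolic IMAGE_SCN_* names set in a Characteristics value."""
    names = [name for bit, name in FLAG_BITS.items() if characteristics & bit]
    nibble = (characteristics & ALIGN_MASK) >> 20
    if nibble:
        names.append(f"ALIGN_{1 << (nibble - 1)}BYTES")
    return names


def section_for_rva(rva):
    """Find the section whose virtual range (raw or zero-filled) contains rva."""
    for sec in SECTIONS:
        _, _, _, raw_size, va, vsize = sec
        if va <= rva < va + max(vsize, raw_size):
            return sec
    return None


def rva_to_offset(rva):
    """Map an RVA to its file offset; the zero-filled tail of a section has none."""
    sec = section_for_rva(rva)
    if sec is None:
        raise ValueError(f"RVA {rva:#x} is outside every section")
    name, _, raw_off, raw_size, va, _ = sec
    delta = rva - va
    if delta >= raw_size:
        raise ValueError(f"RVA {rva:#x} is in the zero-filled part of {name}")
    return raw_off + delta


def offset_to_rva(offset):
    """Map a file offset back to an RVA (used for the Flow Anomalies table)."""
    for _, _, raw_off, raw_size, va, _ in SECTIONS:
        if raw_off <= offset < raw_off + raw_size:
            return va + (offset - raw_off)
    raise ValueError(f"offset {offset:#x} is not covered by any section")


def jmp_rel32_target(rva, code):
    """Decode an E9 rel32 near JMP located at rva and return its target RVA."""
    if code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    rel = struct.unpack_from("<i", code, 1)[0]  # signed 32-bit displacement
    return (rva + 5 + rel) & 0xFFFFFFFF         # relative to the end of the instruction


def long_section_name(name, string_table):
    """'/N' names index the COFF string table at decimal offset N.  In a real file
    that table follows the symbol table (PointerToSymbolTable + 18 * NumberOfSymbols)
    and starts with its own 4-byte length field."""
    if not name.startswith("/"):
        return name
    start = int(name[1:])
    return string_table[start:string_table.index(b"\0", start)].decode("ascii")


ENTRY_RVA = 0x66720
ENTRY_BYTES = bytes.fromhex("E95BC7FFFFCC")  # first bytes at the entry point, from the report
# CONSTRUCTED: 4-byte length, then NUL-terminated placeholder names at offsets 4 and 19
STRING_TABLE = b"\x21\x00\x00\x00" + b".debug_example\0" + b".another_long\0"

if __name__ == "__main__":
    print(f"entry file offset: {rva_to_offset(ENTRY_RVA):#x}")
    print(f"JMP target RVA:    {jmp_rel32_target(ENTRY_RVA, ENTRY_BYTES):#x}")
    for name, ch, *_ in SECTIONS:
        print(f"{name:8} {ch:08X} {', '.join(decode_flags(ch))}")
    print(long_section_name("/4", STRING_TABLE), long_section_name("/19", STRING_TABLE))
```

Running it reproduces the report's entry offset 0x65D20, resolves the entry JMP to RVA 0x62E80, and refuses to map an RVA that lies in the zero-filled tail of .data, which is the case a naive offset calculation silently gets wrong.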
Signatures:
• Certificate - Digital Signature Not Found: the file is not signed.
Packer/Compiler:
• Detect It Easy (DIE): PE+(64), compiler: Go(1.15.0-X.XX.X), entropy 6.86494.
The DIE version string is a signature-family match, not an exact toolchain version: symbol names further down such as runtime.(*unwinder), internal/godebug and execerrdot belong to considerably newer Go releases. Entropy around 6.9 is usual for an unpacked Go binary because of its large string, type and pclntab data; together with the standard section layout and the intact .symtab there is no indication of a packer.
Suspicious Functions:
Library | Function | Description |
---|---|---|
KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
Ws2_32.DLL | socket | Create a communication endpoint for networking applications. |
The kernel32 entries are the Go runtime's own imports and appear in every Go Windows binary: the runtime resolves the rest of the Win32 API at start-up through LoadLibraryW/GetProcAddress, which is why the static import table is this short and why so many API names show up only in the string sections below. None of these entries describes this program's own logic.
File Access:
The tool produces this list by matching file-extension patterns (.exe, .ini, .sys, .msp, .bat, .scr, .doc, .dll) against the raw strings. Because the binary keeps its Go symbol table, most hits are Go symbol names cut off at the pattern rather than files: runtime.exe, os/exec.exe, os.Exe, internal/poll.exe, unicode.Bat, unicode.Scr, runtime.mSp / runtime.msp, itab.*syscall.DLL, .eq.syscall.DLL, itab.sys, *os.Sys, runtime.(*mheap).sys, os.(*ProcessState).sys, syscall.Sys, runtime.ini, main.ini, runtime.(*itab).ini, internal/poll.(*FD).Ini, internal/cpu.Ini, fmt.(*fmt).ini, gopkg.in/yaml%2ev3.(*parser).ini, gopkg.in/yaml%2ev3.(*parser).doc, gopkg.in/yaml%2ev3.(*decoder).doc, and the rest of the .ini / .sys fragments in the dump. Items that do name real files or modules:
• MpCmdRun.exe (the Windows Defender command-line scanner)
• DLLs resolved at run time: kernel32.dll, advapi32.dll, ws2_32.dll, ntdll.dll, winmm.dll, iphlpapi.dll, netapi32.dll, crypt32.dll, mswsock.dll, dnsapi.dll, psapi.dll
• Win32 procedure names stored next to them (the names Go's lazy DLL loader passes to GetProcAddress): GetLengthSid, GetLastError, GetStdHandle, GetTempPathW, LoadLibraryW, ReadConsoleW, SetEndOfFile, TransmitFile, GetAddrInfoW, RegCloseKey, CreateFileW, DeleteFileW, ExitProcess, FreeLibrary, SetFileTime, VirtualLock, WSARecvFrom, closesocket, getpeername, getsockname, DnsQuery_W, GetIfEntry, CancelIoEx, CreatePipe, GetVersion, WSACleanup, WSAStartup, getsockopt, setsockopt, FindClose, LocalFree, MoveFileW, WriteFile, WSASendTo
• Go packages identifiable from the symbol fragments: main, runtime, syscall, os, os/exec, internal/poll, internal/syscall/windows, internal/syscall/windows/registry, internal/syscall/windows/sysdll, internal/godebug, internal/bytealg, internal/cpu, path/filepath, context, regexp, regexp/syntax, encoding/base64, io/fs, time, reflect, unicode, sync, math, errors, fmt, and the third-party gopkg.in/yaml.v3 (%2e is the escaped dot in the import path)
• Go runtime and syscall error text swept up between them: "scanstack - bad status", "headTailIndex overflow", "not found", "double wait", "sysMemStat overflow", "bad sequence number", "in struct", "invalid slot", "host is down", "illegal seek", "broken pipe", "alarm clock", "bad message", "file exists", "bad address", "stream end", "impossible", "terminated", "owner died", "bus error", "interrupt", "fork/exec", "execwait", "execerrdot", "createtemp", "/dev/stdin", "SYSTEMROOT", "rwxrwxrwx", "0123456789", "Interface"
• The yaml.v3 resolve table (null, .inf, .nan, True, TRUE, Null, NULL, .NaN, .NAN, .Inf, .INF) fused with adjacent ".com" / ".exe" / ".bat" literals into the single string null.inf.nanTrueTRUENullNULL.NaN.NAN.Inf.INFyaml.com.exe
• Temp, SysDir, UserProfile
Go stores string literals back to back without terminators, so a plain strings pass merges neighbours; the package list and the two real file names (MpCmdRun.exe and config.yaml, see the Intelligent String section) are the useful output here.
File Access (UNICODE):
ntdll.dll, winmm.dll, ws2_32.dll, advapi32.dll, kernel32.dll, powrprof.dll (UTF-16 copies of the module names handed to LoadLibraryW)
Interesting Words:
zombie exec netsh attrib start pause shutdown systeminfo ping expand replace route
Anti-VM/Sandbox/Debug Tricks:
LabTools - procexp (a substring match on "procexp"; the report contains no other evidence of process enumeration aimed at analysis tools)
Strings/Hex Code Found With The File Rules:
• WinAPI Sockets: WSACleanup, bind, listen, accept, connect, recv, send
• Registry: RegCreateKeyEx, RegOpenKeyEx, RegSetValueEx
• File: GetTempPath, CreateFile, WriteFile, ReadFile
• Encryption API: CryptAcquireContext, CryptReleaseContext
• Anti-Analysis VM: GetSystemInfo, GetVersion, CreateToolhelp32Snapshot
• Stealth: VirtualAlloc
• Execution: CreateProcessA, CreateProcessW, ResumeThread
• Software that records user activity: Logger
All of these are ASCII substring hits. In a Go binary that keeps its symbol table, the Win32 names are present because the standard library's syscall and internal/syscall/windows packages declare them (the socket calls, the Reg*, Crypt* and CreateProcess* functions, CreateToolhelp32Snapshot, GetVersion and GetSystemInfo), whether or not this program ever calls them, and "Logger" matches the standard log package's Logger type as readily as a keystroke logger. Treat the list as a reading list of cross-references to check in a disassembler, not as findings.
Intelligent String:
The program-specific strings are the ones to keep:
• create config.yaml error
• scanCmd: "ecls /clean-mode=none /no-quarantine {{file}}"
• scanCmd: "MpCmdRun.exe -Scan -ScanType 3 -File {{file}} -DisableRemediation -Trace -Level 0x10"
These are command templates with a {{file}} placeholder, read from a config.yaml (hence gopkg.in/yaml.v3) and run through os/exec: ecls is ESET's command-line scanner with cleaning and quarantine switched off, and MpCmdRun -ScanType 3 -File is a Defender custom scan of a single file with -DisableRemediation making it report-only. The binary therefore drives third-party AV scanners over a file path; the "malware-like" rule hits above come from the Go standard library, not from this logic.
Everything else in this section is Go standard-library text that the tool's extractor ran together:
• DLL names: kernel32.dll, ntdll.dll, winmm.dll, ws2_32.dll, advapi32.dll, powrprof.dll
• Win32 names declared by the syscall packages: RegSetValueExW, GetProcessTimes, DuplicateHandle, GetAdaptersInfo, CreateHardLinkW, DeviceIoControl, FlushViewOfFile, GetCommandLineW, GetStartupInfoW, Process32FirstW, UnmapViewOfFile, ImpersonateSelf, OpenThreadToken, CertFreeCertificateChain, CreateToolhelp32Snapshot, GetUserProfileDirectoryW
• Go runtime and GC diagnostics: stopm spinning, nmidlelocked=, needspinning=, store64 failed, semaRoot queue, bad allocCount, bad span state, stack overflow, untyped args, out of range, no module data, in goroutine, unreachable:, write heap dump, asyncpreemptoff, force gc (idle), sync.Mutex.Lock, malloc deadlock, runtime error:, elem size wrong, with GC prog, hash of unhashable type, span has no free objects, runtime: found obj at, runtime: VirtualFree of, queuefinalizer during GC, update during transition, runtime: markroot index, can't scan our own stack, gcDrainN phase incorrect, pageAlloc: out of memory, runtime: p.searchAddr =, range partially overlaps, bad defer entry in panic, bypassed recovery failed, stack trace unavailable, and the fragment L:\/125625nanNaNintmapptrfinobjgc %: gp *(in n= )
• runtime/metrics names: /cgo/go-to-c-calls:calls, /gc/heap/objects:objects, /sched/latencies:seconds
• syscall errno text: advertise error, key has expired, network is down, no medium found, no such process, floating point exception, connection reset by peer, level 2 not synchronized, link number out of range, out of streams resources, function not implemented, structure needs cleaning, not supported by windows
• Lazy-DLL loader errors: Failed to load, Failed to find; reflect: invalid argSize, <invalid Value>; io.EOF
• regexp, yaml.v3, os/exec and mime/multipart messages: extra text:, \.+*?()|[]{}$, InstEmptyWidth, invalid escape sequence, pattern bits too long:, read handler must be set, exceeded max depth of %d, while scanning an anchor, exec: Stdout already set, exec: Stderr already set, mime/multipart, section_search_
• strconv powers of five used for float formatting: 476837158203125 (5^21), 116415321826934814453125 (5^33), 582076609134674072265625 (5^34)
Flow Anomalies:
The tool left the RVA column empty. Every hit is in .text, which maps file offset 0x600 to RVA 0x1000, so RVA = offset + 0xA00; the column is filled in accordingly. "BP cave" means a run of 0xCC bytes, the INT3 software-breakpoint opcode.
Offset | RVA | Section | Description |
---|---|---|---|
675E1-676DF | 67FE1-680DF | .text | Potential obfuscated jump sequence detected, count: 51 |
F82-F9F | 1982-199F | .text | Unusual BP Cave, count: 30 |
2742-275F | 3142-315F | .text | Unusual BP Cave, count: 30 |
3021-303F | 3A21-3A3F | .text | Unusual BP Cave, count: 31 |
3061-307F | 3A61-3A7F | .text | Unusual BP Cave, count: 31 |
9582-959F | 9F82-9F9F | .text | Unusual BP Cave, count: 30 |
9F62-9F7F | A962-A97F | .text | Unusual BP Cave, count: 30 |
12621-1263F | 13021-1303F | .text | Unusual BP Cave, count: 31 |
14862-1487F | 15262-1527F | .text | Unusual BP Cave, count: 30 |
158A2-158BF | 162A2-162BF | .text | Unusual BP Cave, count: 30 |
1B882-1B89F | 1C282-1C29F | .text | Unusual BP Cave, count: 30 |
21242-2125F | 21C42-21C5F | .text | Unusual BP Cave, count: 30 |
25962-2597F | 26362-2637F | .text | Unusual BP Cave, count: 30 |
259C2-259DF | 263C2-263DF | .text | Unusual BP Cave, count: 30 |
2E5A2-2E5BF | 2EFA2-2EFBF | .text | Unusual BP Cave, count: 30 |
2F4C1-2F4DF | 2FEC1-2FEDF | .text | Unusual BP Cave, count: 31 |
32E02-32E1F | 33802-3381F | .text | Unusual BP Cave, count: 30 |
33061-3307F | 33A61-33A7F | .text | Unusual BP Cave, count: 31 |
330E1-330FF | 33AE1-33AFF | .text | Unusual BP Cave, count: 31 |
33161-3317F | 33B61-33B7F | .text | Unusual BP Cave, count: 31 |
331E1-331FF | 33BE1-33BFF | .text | Unusual BP Cave, count: 31 |
33261-3327F | 33C61-33C7F | .text | Unusual BP Cave, count: 31 |
332E1-332FF | 33CE1-33CFF | .text | Unusual BP Cave, count: 31 |
33361-3337F | 33D61-33D7F | .text | Unusual BP Cave, count: 31 |
339E1-339FF | 343E1-343FF | .text | Unusual BP Cave, count: 31 |
38762-3877F | 39162-3917F | .text | Unusual BP Cave, count: 30 |
40961-4097F | 41361-4137F | .text | Unusual BP Cave, count: 31 |
45182-4519F | 45B82-45B9F | .text | Unusual BP Cave, count: 30 |
467E1-467FF | 471E1-471FF | .text | Unusual BP Cave, count: 31 |
498C1-498DF | 4A2C1-4A2DF | .text | Unusual BP Cave, count: 31 |
49B82-49B9F | 4A582-4A59F | .text | Unusual BP Cave, count: 30 |
49F41-49F5F | 4A941-4A95F | .text | Unusual BP Cave, count: 31 |
5CF62-5CF7F | 5D962-5D97F | .text | Unusual BP Cave, count: 30 |
5DC81-5DC9F | 5E681-5E69F | .text | Unusual BP Cave, count: 31 |
5EF41-5EF5F | 5F941-5F95F | .text | Unusual BP Cave, count: 31 |
5F122-5F13F | 5FB22-5FB3F | .text | Unusual BP Cave, count: 30 |
61781-6179F | 62181-6219F | .text | Unusual BP Cave, count: 31 |
62641-6265F | 63041-6305F | .text | Unusual BP Cave, count: 31 |
64301-6431F | 64D01-64D1F | .text | Unusual BP Cave, count: 31 |
64542-6455F | 64F42-64F5F | .text | Unusual BP Cave, count: 30 |
65181-6519F | 65B81-65B9F | .text | Unusual BP Cave, count: 31 |
68E62-68E7F | 69862-6987F | .text | Unusual BP Cave, count: 30 |
68EE2-68EFF | 698E2-698FF | .text | Unusual BP Cave, count: 30 |
690C2-690DF | 69AC2-69ADF | .text | Unusual BP Cave, count: 30 |
69B61-69B7F | 6A561-6A57F | .text | Unusual BP Cave, count: 31 |
6A441-6A45F | 6AE41-6AE5F | .text | Unusual BP Cave, count: 31 |
84122-8413F | 84B22-84B3F | .text | Unusual BP Cave, count: 30 |
86FE2-86FFF | 879E2-879FF | .text | Unusual BP Cave, count: 30 |
8E1C2-8E1DF | 8EBC2-8EBDF | .text | Unusual BP Cave, count: 30 |
92502-9251F | 92F02-92F1F | .text | Unusual BP Cave, count: 30 |
92582-9259F | 92F82-92F9F | .text | Unusual BP Cave, count: 30 |
A92E2-A92FF | A9CE2-A9CFF | .text | Unusual BP Cave, count: 30 |
AAF21-AAF3F | AB921-AB93F | .text | Unusual BP Cave, count: 31 |
D4222-D423F | D4C22-D4C3F | .text | Unusual BP Cave, count: 30 |
F95C1-F95DF | F9FC1-F9FDF | .text | Unusual BP Cave, count: 31 |
FA402-FA41F | FAE02-FAE1F | .text | Unusual BP Cave, count: 30 |
100E62-100E7F | 101862-10187F | .text | Unusual BP Cave, count: 30 |
Reading the table:
• Every INT3 run ends at an offset of the form ...1F, ...3F, ...5F, ...7F, ...9F, ...BF, ...DF or ...FF, so the byte after it is 32-byte aligned, and every run is 30 or 31 bytes long, i.e. shorter than one alignment unit. That is exactly the padding the Go linker inserts between functions on amd64 (the entry-point listing above shows the same pattern), not a code cave left for injection. A cave worth attention would be long, would not end on an alignment boundary, or would contain bytes other than 0xCC.
• The "obfuscated jump sequence" spans 0xFF = 255 bytes for 51 hits, i.e. 5 bytes per entry: a contiguous block of rel32 JMP thunks, which is a compiler/linker construct rather than obfuscation. Disassemble at RVA 0x67FE1 to confirm where the thunks lead.
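The padding-versus-cave distinction above can be applied mechanically. The following is an added example for this page, not PEScan's code: it scans a code buffer for runs of 0xCC, converts file offsets to RVAs with the .text numbers from the section table, and only accepts a run as alignment padding when it ends immediately before a 32-byte-aligned address and is shorter than one alignment unit. The input bytes are constructed so that the first run reproduces the report's first row (F82-F9F); the other two runs are deliberately shaped to fail the check.

```python
"""Triage INT3 (0xCC) runs in a .text section (added example).

Section numbers come from the report; SAMPLE is a CONSTRUCTED excerpt laid out
so that its first run matches the report's first "BP cave" (file offsets F82-F9F).
"""
import re

FUNC_ALIGN = 32          # amd64 function alignment used by the Go linker
TEXT_RAW_OFFSET = 0x600  # .text raw offset from the section table
TEXT_RVA = 0x1000        # .text RVA from the section table


def offset_to_rva(offset):
    """File offset -> RVA inside .text (the column the report left as ??)."""
    return offset - TEXT_RAW_OFFSET + TEXT_RVA


def find_int3_runs(data, base_offset, min_len=16):
    """Yield (start, end, length), in file-offset terms, for each run of >= min_len 0xCC."""
    for m in re.finditer(rb"\xCC{%d,}" % min_len, data):
        yield base_offset + m.start(), base_offset + m.end() - 1, m.end() - m.start()


def classify_run(start, end, length):
    """Linker padding ends right before a FUNC_ALIGN-aligned address and is shorter
    than one alignment unit; anything else deserves a look in a disassembler."""
    next_rva = offset_to_rva(end + 1)
    if next_rva % FUNC_ALIGN == 0 and length < FUNC_ALIGN:
        return "alignment padding"
    return "review manually"


def triage(data, base_offset, min_len=16):
    """Rebuild the report's rows (offset, rva, count) with a verdict attached."""
    return [
        {
            "offset": f"{s:X}-{e:X}",
            "rva": f"{offset_to_rva(s):X}-{offset_to_rva(e):X}",
            "count": n,
            "verdict": classify_run(s, e, n),
        }
        for s, e, n in find_int3_runs(data, base_offset, min_len)
    ]


# CONSTRUCTED bytes: CODE is filler that contains no 0xCC; the layout puts the
# first run exactly where the report's first cave is (file offsets F82-F9F).
CODE = bytes.fromhex("4883EC28E800000000" "4883C428C3")  # 14 bytes
SAMPLE = (
    CODE + b"\x90" * 20          # 0xF60-0xF81: 34 bytes before the cave
    + b"\xCC" * 30               # 0xF82-0xF9F: next byte is 32-aligned -> padding
    + CODE + b"\x90" * 18        # 0xFA0-0xFBF
    + b"\xCC" * 64               # 0xFC0-0xFFF: aligned end, but two alignment units long
    + CODE[:10]                  # 0x1000-0x1009
    + b"\xCC" * 20               # 0x100A-0x101D: ends at an unaligned address
    + CODE
)

if __name__ == "__main__":
    for row in triage(SAMPLE, 0xF60):
        print(row)
```

On a real file, read the .text bytes from raw offset 0x600 for 0x102600 bytes and call triage(data, 0x600); every row of the report's table then comes back as "alignment padding", while a run that is long or unaligned is flagged for manual review.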
Extra Analysis:
Metric | Value | Percentage |
---|---|---|
ASCII bytes | 1,976,555 | 58.7589% |
Null bytes | 590,072 | 17.5416% |
NOP cave (0x9090909090) | 3 blocks | 0.0002% |
© 2025 All rights reserved.